
Host Perimeter Defense (ppt)


DOCUMENT INFORMATION

Basic information

Title: Host Perimeter Defense Security Essentials
Author: The SANS Institute
School: The SANS Institute
Field: Cybersecurity / Information Security
Type: presentation
Year published: 2001
Format:
Pages: 36
Size: 1.26 MB


Contents



Host Perimeter Defense - SANS ©2001 1

Host Perimeter Defense

Security Essentials The SANS Institute

Most of us have a problem. We are under attack. At this very moment, our internet-connected computer systems are being subjected to a surprising number of probes, penetration attempts, and other malicious attention.

In this talk, we will discuss the types of attacks that are being used against our computers, and how to defend against these attacks. You will learn about both free and commercial software products that will help you improve the security of your systems. These products present a variety of solutions, ranging from easy-to-configure, “hassle-free” products that provide a reasonable level of security, to more complex solutions that provide more stringent measures for high-value assets.


Agenda

• Do we have a problem?

• Who is vulnerable?

• Threats and types of protection

• Features to look for


Host Perimeter Defense

• Defends the borders of your computer

• Complements network perimeter defense

– Additional layer of protection

• May also be first line of defense

Host perimeter defense is just what it sounds like: defending the perimeter of the host itself - the borders of your computer.

Most security-conscious organizations protect the borders of their network with tools such as firewalls or packet-filtering routers. In this situation, host perimeter defense complements network perimeter defense by adding a second layer of security. Even if an intruder is able to penetrate your network, he or she will then have to penetrate any host-based security to access protected hosts on your network.

There are also instances when host perimeter defense may be your first line of defense. This is true, of course, if there is no network protection. This would be the case, for instance, where your network security is bypassed - for example, through a connection to a dial-up server inside your firewall. It is also the case for systems that are not on a standard network - such as home computers - which nevertheless connect to the Internet through an Internet Service Provider (ISP).


Who is Vulnerable?

• Any host that is:

– Directly connected to the internet

– “Protected” behind a firewall

– Networked with any other hosts (even if not connected to the internet)

– Connected via modem, cable modem, ISDN, DSL, etc.

Any networked host may be a candidate for protection using host perimeter defense solutions, including:

• computers directly connected to the Internet. Any host directly connected to the Internet is visible to (and potentially vulnerable to!) any one of the several million other Internet users around the globe. Essentially, anyone from Russia to Brazil to the person next door can “see” your computer - and may be able to compromise it.

• computers “protected” by a firewall. A firewall is not a bulletproof solution to your security problems. Dial-up connections may bypass your firewall’s security completely. “Legitimate” traffic allowed through the firewall may contain dangerous code, such as malicious Java applets in HTTP traffic, or Trojan executables in electronic mail (SMTP) traffic. Users may install unauthorized software or modems that create security holes.

• hosts on a private network. Even if you are completely disconnected from the Internet, you may need to protect your hosts from each other. A large number of security breaches come from inside an organization. Employees trying to steal information for a competitor, or disgruntled employees who might want to damage or destroy information, present a real threat.

The information on threats and defenses in the following slides can be applied to any of the above scenarios. However, for the purpose of this course, we will focus on one scenario in particular that is often overlooked.


Impact of the Problem

• Personal information

– Financial records

– Account names/passwords

• Business information

– Home-based business

– Telecommuters

– Connect to corporate LAN from home

This problem can be a serious one for home users. Sensitive information such as financial records and account numbers, usernames and passwords may all be stored on a home PC - all of which provide tempting targets for attackers.

However, this problem is no longer limited to private home users. Businesses can be seriously affected as well, as the line between home and business computers has increasingly blurred over the past few years. Businesses are operated out of peoples’ homes; employees work at home and “telecommute;” users take work home, or use home computers to dial in to corporate networks and electronic mail servers. All of these scenarios mean that, in addition to sensitive personal information, it is highly likely that sensitive business information can be found on “personal” computers.

Which is more difficult for an attacker: to break into a corporate network that is protected by firewalls, intrusion detection software, and skilled administrators who regularly review log files? Or to break into the CEO’s unprotected home PC, steal his userid and password, and log straight in to the corporate network using the stolen information?


Do We Have a Problem?

Many SANS instructors use personal firewalls, of course, and a number of them use flashing icons to inform you that an attack has occurred. When Stephen Northcutt teaches intrusion detection he will often leave the BlackICE icon flashing yellow until some student comes up and says “I can’t stand it.”

This screen shot was taken April 14, 2001. As you can see, this computer has been hit with a number of attacks. Please notice that on your screen you see three DNS probes. This was about three weeks after the Lion worm, malicious code that attacks Linux computers and DNS servers. Clearly it is still running at this time. If you are tuning out because you are a Windows user, the Kak and Qaz Windows worms did a lot of damage only six months ago. So, you are going to get hit.


What are the Threats?


Known Vulnerabilities

• Operating systems and common software

– Inherent weaknesses

– Default configuration

– Misconfiguration

Unfortunately, NO operating system is secure “out of the box,” and attackers will take advantage of security holes in default OS or application configurations, or user/administrator misconfigurations. Another vulnerability is sample applications that are often included in web server software or software development kits. These samples are not intended for production systems (read: they are NOT SECURE) and can open up additional security holes in your system.

These “holes” are often well-known and well-publicized in the “black hat” community. Worse, for any vulnerability that has been known for a period of time, there is most likely a script that exploits the vulnerability. These scripts are readily available on the Internet - making it simple for even the most inexperienced attacker to launch sophisticated attacks on your systems.


Known Vulnerability Defense

• Choose a secure OS

• Build a secure configuration

• Install updates and patches

• Remove sample applications

• Stay informed

Your best defense against known vulnerabilities is information and education.

• Choose a secure OS and learn to configure it properly. Most vendors and some third-party organizations now provide recommendations on configuring operating systems and applications securely. Obtain these documents and apply them per your organization’s needs.

• Keep your software up-to-date with upgrades and patches. Vendors regularly release updates and patches, many of which address security issues. Keep your systems up-to-date with the latest patches.

• Remove sample applications. Do not install sample applications, unless they are loaded on a test system. If sample applications must be installed, secure them just as you would any other software component.

• Stay informed. New security vulnerabilities are released daily. A quick and easy way to stay up-to-date is to subscribe to security mailing lists. Several excellent public lists are given at the end of this presentation. Most vendors also have their own mailing lists, or at least post security notices on their web sites.


Malicious Code

• Program that performs harmful, unauthorized action

– Viruses

– Trojans

– Java applets and ActiveX controls

• Often easily bypass network security

One of the broadest categories of threats to your network hosts is that of malicious code. Malicious code is defined as an executable program that performs an action (often harmful or destructive) without the knowledge of the user.

Malicious code includes viruses and Trojan software (malicious software masquerading as a useful program or utility). Recent virus incidents, such as those surrounding the ILOVEYOU virus or the Melissa virus, indicate the seriousness of the threat. The attacker who gained access to Microsoft’s network in October 2000 and viewed source code for a future Microsoft product is suspected to have gained access to internal systems via the QAZ virus, which installs a secret ‘back door’ to allow access to a system. Over 40,000 known viruses exist as of this writing, and the number continues to increase.

A newer threat is that presented by Java applets and ActiveX controls. These are bits of code, like mini-programs, that run within a web browser when you access a web page that contains the applet. (Java will run in any browser; ActiveX is specific to Microsoft Internet Explorer.) Both types of code are supposed to be “safe” and execute only within restricted boundaries on the user’s computer. However, a number of security holes have been found in this technology. Malicious applets can perform actions such as reading files (such as a password file) or deleting files. Worse, most applets run within the browser without the user’s knowledge.

A particular danger of malicious code is that it can easily bypass security measures such as firewalls. This is because malicious code is often hidden in “legitimate” network traffic. Your firewall probably allows HTTP (Web) traffic into your network, but this traffic can contain hostile Java and ActiveX code. You probably also allow SMTP (electronic mail) traffic, but electronic mail often contains attachments with macro viruses or Trojan software.


Malicious Code Defense

• Anti-virus software

• Java/ActiveX protection

Probably the most well-known form of host perimeter defense is anti-virus software, which defends your computer from malicious code such as viruses and some common Trojan/backdoor programs (such as NetBus or Back Orifice). Because anti-virus software is covered in its own course, we will only mention it briefly here.

However, it is important to note that some anti-virus vendors are now offering additional protection against hostile Java and ActiveX controls. For example, both Norton Anti-Virus and McAfee VirusScan offer some degree of Java/ActiveX protection. Check your product specifications carefully; some vendors’ offerings may only provide protection for specific browsers (i.e., for Netscape Navigator OR Microsoft Internet Explorer, but not both).

Another means to defend against malicious Java and ActiveX controls is to tighten your browser’s security. Both Netscape Navigator and Microsoft Internet Explorer offer means to customize browser security to allow, prompt for, or disallow actions such as Java and ActiveX scripting. One catch to tightening security in this way is that you may block safe applets along with hostile ones - some Web sites will not display correctly without scripting enabled, or will pop up an annoying number of warning messages asking if you want to run an applet.


All of these ports represent a potential “door” through which someone can enter your computer. A computer will typically “listen” on a port until a connection is attempted. Depending on the authorization (if any!) required, the system will then accept or reject the connection attempt. However, it’s a good bet that most users don’t know what a port is, much less which ports may be open on their computers.


Unauthorized Connection Defense

• Determine open ports

• Block ports that are not needed

• Monitor connection attempts

The first step in protecting your system from unauthorized connection attempts is to determine which ports are actually open on your system. For example, in Windows 9x or NT, you can type netstat -a at the command prompt to display a list of all open connections to your system.

This utility is good for generating a “snapshot” view of system activity, as it will also identify the open ports on your system - including some you may not know you have!

However, it does not provide a means to block ports that you don’t want left open, or to monitor port activity on an ongoing basis. That is the purpose of personal firewall and host-based intrusion detection software.
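The “snapshot” step above can be turned into a repeatable check. The following Python script is an added example, not part of the SANS slides: it parses the output of Windows netstat -an (a constructed sample is embedded, in the column layout modern Windows versions print), keeps only TCP sockets in the LISTENING state plus all UDP sockets, and reports any port that is open but absent from an operator-supplied list of expected ports. The EXPECTED table is an assumption for a hypothetical host.

```python
"""Snapshot the ports a Windows host is listening on from `netstat -an` output.

Added example (not SANS or vendor code): parses a constructed netstat sample
and flags any listening port that is not on the operator's expected list.
"""
import subprocess
from typing import Dict, List, Set, Tuple

# Constructed sample in the layout Windows `netstat -an` prints (not real data).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1035       203.0.113.7:80         ESTABLISHED
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    192.168.1.5:138        *:*
"""

# Ports the operator of this hypothetical host expects to be open (assumption).
EXPECTED: Dict[str, Set[int]] = {
    "TCP": {135, 139, 445},
    "UDP": {137, 138},
}


def parse_listening(netstat_text: str) -> Set[Tuple[str, int]]:
    """Return the set of (proto, port) pairs the host is listening on.

    TCP sockets count only in the LISTENING state (an ESTABLISHED client
    connection is not a door into the host). UDP sockets have no state
    column and can always receive datagrams, so every UDP line counts.
    """
    listening: Set[Tuple[str, int]] = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # title, column header, blank, or unrecognised line
        proto, local = fields[0], fields[1]
        port = int(local.rsplit(":", 1)[1])  # works for 1.2.3.4:80 and [::]:80
        if proto == "UDP" or (len(fields) >= 4 and fields[3] == "LISTENING"):
            listening.add((proto, port))
    return listening


def unexpected_ports(listening: Set[Tuple[str, int]],
                     expected: Dict[str, Set[int]]) -> List[Tuple[str, int]]:
    """Open ports that are not on the expected list, sorted for reporting."""
    return sorted(
        (proto, port) for proto, port in listening
        if port not in expected.get(proto, set())
    )


def live_snapshot() -> Set[Tuple[str, int]]:
    """Run netstat on the local Windows host and parse the real output."""
    out = subprocess.run(["netstat", "-an"], capture_output=True,
                         text=True, check=True).stdout
    return parse_listening(out)


if __name__ == "__main__":
    open_ports = parse_listening(SAMPLE_NETSTAT)
    for proto, port in sorted(open_ports):
        print(f"{proto} {port}")
    for proto, port in unexpected_ports(open_ports, EXPECTED):
        print(f"REVIEW: {proto} port {port} is open but not on the expected list")
```

On the sample, TCP 1035 is excluded because it is an outbound ESTABLISHED connection, and TCP 12345 is reported because it is listening but not expected. Running the snapshot on a schedule and diffing against the expected list gives the ongoing monitoring that a one-off netstat does not, although blocking the port still requires a personal firewall as the slide says.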


Personal Security Software

• Combine various firewall and IDS technologies to successfully defend

Packet-filtering/IP-level data flow control requires more technical expertise on the part of the user in order to configure properly. Access is controlled by rules that specify which protocols are allowed or disallowed. For example, a user may create rules that block all traffic except for HTTP, SMTP, and POP3.

In the following slides we will explore examples of products that demonstrate the effective application of these technologies to defend our stations from perimeter attacks.


Network ICE BlackICE Defender

One example of a packet-filtering personal firewall is Network ICE’s BlackICE Defender. It combines a packet-filtering firewall component with an intrusion detection component that has stateful inspection capabilities, monitoring your network connection for "signatures" of popular attacks.

Many host-based security systems like BlackICE Defender will combine multiple technologies to optimize the overall effect on the station's security. BlackICE Defender uses its intrusion detection system in conjunction with its packet-filtering capabilities to provide an enhanced form of stateful inspection. It can actually determine whether the incoming traffic is "malicious" in nature, before allowing the traffic access to the system. Upon discovery of an attacker, BlackICE Defender will not only block them from further access, and log the attack and all packets from the attack, it will go so far as to attempt to collect information about the attacker, including host name and MAC address.

Even if the hostile traffic in question is allowed in by the current packet filtering rules, the stateful inspection process will still detect the attack and deny the perpetrator access. For example, say you were running an FTP server on your station and had a configuration allowing incoming FTP traffic. If a known attack was tried on port 21 (the default port for FTP traffic), BlackICE would identify the traffic as hostile in nature and block the attacker from accessing the system.

The negative aspect of such an inspection system is that false positives can be registered, and in some cases prevent normal usage between systems. BlackICE circumvents this issue by allowing the editing of the


BlackICE Defender Security Configuration

Easy configuration is an important feature of a good personal security system. The common dilemma when designing such a system is how to make the software easily configurable for a novice while allowing the flexibility that an advanced user will need. To configure the default packet-filtering rules for BlackICE Defender, two different systems are used. For the novice, BlackICE Defender provides an easy to use graphical interface that allows you to choose between four pre-configured "levels" of protection, ranging from "trusting" to "paranoid." Each setting blocks a progressively more aggressive range of TCP and UDP ports. “Trusting” doesn’t block any TCP or UDP ports. “Cautious” blocks TCP ports 0-1023. “Nervous” blocks all TCP ports and UDP ports 0-1023, while “Paranoid” blocks all TCP and UDP ports. (Note: These rules refer to incoming traffic ONLY. All outgoing traffic and TCP return traffic is allowed no matter which security level is selected.)


BlackICE Defender FIREWALL.INI

[MANUAL IP ACCEPT]
[MANUAL UDP low REJECT]
REJECT, 137, NETBIOS Name Service, 1999-07-22 20:26:53, PERPETUAL
REJECT, 138, NETBIOS Datagram Service, 1999-07-22 20:26:53, PERPETUAL
[MANUAL UDP high ACCEPT]
[MANUAL TCP low REJECT]
ACCEPT, 113, identd, 1999-07-19 20:50:26, PERPETUAL
REJECT, 139, SMB, 1999-07-19 20:50:26, PERPETUAL
[MANUAL TCP high ACCEPT]

For advanced users, BlackICE provides an editable configuration file, FIREWALL.INI. Manual packet-filtering rules can be applied to allow or disallow various types of protocol level traffic. This is how to custom-tailor BlackICE Defender to suit a more advanced environment. For example, you can set packet-filtering rules to allow a local HTTP or FTP server on your system. An example filter would be as follows:

Under the [MANUAL TCP low REJECT] heading of the FIREWALL.INI you would enter a line like:

ACCEPT, 80, HTTP, 2000-10-16 20:30:53, PERPETUAL

This line is not unlike the packet filters that are applied in various commercial firewalls, including router access control lists. It would allow any HTTP traffic on port 80. In this example, because the BlackICE configuration is set to “paranoid” the default for TCP low traffic (traffic below port 1024) is set to REJECT (hence the name of the section heading). Therefore, the default rule applied to any traffic would be an implicit deny, which means disallow ALL traffic, unless it is otherwise noted. If the security setting was set to “trusting” then the default setting for TCP traffic below port 1024 would be an implicit accept. In that case, rules would be added only if there were particular traffic types that needed to be denied. Either way, a custom configuration can be tailored for almost any need.
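The four security levels from the previous slide and the FIREWALL.INI section/rule semantics just described can be modelled together. The Python below is an added example and is not BlackICE Defender's own code or file format parser: the per-level section defaults are taken from the slide's description of what each level blocks, the evaluation order (a manual rule for a port wins, otherwise the action named in the section heading applies) is my reading of the slide text, and the embedded INI fragment is constructed from the slide's listing with the HTTP rule added. It covers incoming traffic only, as the slides state the levels do.

```python
"""Model of BlackICE Defender's incoming-traffic policy as the slides describe it.

Added example, not vendor code. Security levels give a default ACCEPT/REJECT
per (protocol, port range); [MANUAL ...] rules in FIREWALL.INI override the
default for a single port. "low" means ports 0-1023, "high" means 1024+.
"""
import re
from typing import Dict, Tuple

Section = Tuple[str, str]            # (protocol, "low" | "high")
Policy = Dict[Section, str]          # section -> "ACCEPT" | "REJECT"
Rules = Dict[Tuple[str, int], str]   # (protocol, port) -> "ACCEPT" | "REJECT"

# Defaults per level, from the slide text: trusting blocks nothing; cautious
# blocks TCP 0-1023; nervous blocks all TCP and UDP 0-1023; paranoid blocks all.
LEVEL_DEFAULTS: Dict[str, Policy] = {
    "trusting": {("TCP", "low"): "ACCEPT", ("TCP", "high"): "ACCEPT",
                 ("UDP", "low"): "ACCEPT", ("UDP", "high"): "ACCEPT"},
    "cautious": {("TCP", "low"): "REJECT", ("TCP", "high"): "ACCEPT",
                 ("UDP", "low"): "ACCEPT", ("UDP", "high"): "ACCEPT"},
    "nervous":  {("TCP", "low"): "REJECT", ("TCP", "high"): "REJECT",
                 ("UDP", "low"): "REJECT", ("UDP", "high"): "ACCEPT"},
    "paranoid": {("TCP", "low"): "REJECT", ("TCP", "high"): "REJECT",
                 ("UDP", "low"): "REJECT", ("UDP", "high"): "REJECT"},
}

# Constructed FIREWALL.INI fragment: the slide's listing plus the HTTP rule.
SAMPLE_INI = """\
[MANUAL IP ACCEPT]
[MANUAL UDP low REJECT]
REJECT, 137, NETBIOS Name Service, 1999-07-22 20:26:53, PERPETUAL
REJECT, 138, NETBIOS Datagram Service, 1999-07-22 20:26:53, PERPETUAL
[MANUAL UDP high ACCEPT]
[MANUAL TCP low REJECT]
ACCEPT, 113, identd, 1999-07-19 20:50:26, PERPETUAL
ACCEPT, 80, HTTP, 2000-10-16 20:30:53, PERPETUAL
REJECT, 139, SMB, 1999-07-19 20:50:26, PERPETUAL
[MANUAL TCP high ACCEPT]
"""

SECTION_RE = re.compile(r"^\[MANUAL (TCP|UDP) (low|high) (ACCEPT|REJECT)\]$")


def parse_firewall_ini(text: str) -> Tuple[Policy, Rules]:
    """Return (section defaults, manual rules) from a FIREWALL.INI fragment.

    The action in a section heading is the default for that protocol and
    port range; each 'ACTION, port, label, timestamp, lifetime' line under it
    is a per-port override. The [MANUAL IP ...] section is not modelled.
    """
    defaults: Policy = {}
    rules: Rules = {}
    current: Section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            proto, rng, action = m.groups()
            current = (proto, rng)
            defaults[current] = action
            continue
        if line.startswith("[") or current is None:
            continue  # a section we do not model, or a rule before any section
        fields = [f.strip() for f in line.split(",")]
        action, port = fields[0], int(fields[1])
        rules[(current[0], port)] = action
    return defaults, rules


def port_range(port: int) -> str:
    """Map a port number to the slide's 'low' (0-1023) / 'high' split."""
    return "low" if port <= 1023 else "high"


def decide(proto: str, port: int, defaults: Policy, rules: Rules) -> str:
    """Decision for one incoming packet: explicit rule first, else the default."""
    if (proto, port) in rules:
        return rules[(proto, port)]
    return defaults[(proto, port_range(port))]


if __name__ == "__main__":
    section_defaults, manual_rules = parse_firewall_ini(SAMPLE_INI)
    for proto, port in [("TCP", 80), ("TCP", 25), ("TCP", 139), ("UDP", 137)]:
        print(proto, port, "->", decide(proto, port, section_defaults, manual_rules))
    # The same port under the GUI levels with no manual rules at all:
    for level in LEVEL_DEFAULTS:
        print(level, "TCP 80 ->", decide("TCP", 80, LEVEL_DEFAULTS[level], {}))
```

With the sample file, TCP 80 is accepted only because of the explicit rule, while TCP 25 falls through to the section's REJECT default; under the "paranoid" level with no manual rules every incoming port is rejected, which is the implicit deny the slide describes. A configuration review can run the same function over the ports a host must serve and confirm each one has an explicit ACCEPT rather than relying on a permissive section default.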


Other Packet-filtering Personal Firewalls

• Dynamic Solutions, Inc - NukeNabber

• Network Associates - PGP Desktop Security

• Network Flight Recorder - BackOfficer Friendly

...and for *nix users:

• Psionic Software - Portsentry

This slide lists some additional packet-filtering products available for host-based protection.

Posted: 17/01/2014, 07:20
